Difference between revisions of "Test Assertions For Content Security Policy"

Revision as of 21:30, 8 May 2013

Test Assertions for Content Security Policy

This page documents the test assertions for the Content Security Policy specification [1].

Generic Test Assertions for CSP 1.0

| Assertion | Test | Status |
| --- | --- | --- |
| 0.1 | default-src directive cascades to the appropriate policies: script-src, object-src, style-src, img-src, media-src, frame-src, font-src, connect-src | TBD |
| 0.2 | 'self' keyword positive test | TBD |
| 0.2.1 | 'self' fails with a different scheme | TBD |
| 0.2.2 | 'self' fails with a different port | TBD |
| 0.2.3 | 'self' fails with a different host (including a sub-host, e.g. foo.com as self with content from bar.foo.com) | TBD |
| 0.4 | test implicit scheme for a source: succeeds http -> https | TBD |
| 0.6 | test implicit scheme for a source: fails https -> http | TBD |
| 0.7 | 'self' fails with a different port | TBD |
| 0.8 | test wildcard host name matching (e.g. *.foo.com is good, www*.foo.com is bad, *www.foo.com is ???) | TBD |
| 0.9 | test wildcard port number matching | TBD |
| 0.10 | test implicit port number and explicit port number matching | TBD |
| 0.11 | test port matching with non-digits (e.g. octal, hex) | TBD |
| 0.12 | Parsing of source lists and policies: semicolons, commas, URL-encoded and not, etc. | TBD |
| 0.13 | Verify that policies enforced for an owning document are also enforced for a Web Worker run by that document | TBD |
| 0.14 | Verify policy combination logic: multiple policies combine in a least-privilege manner | TBD |
| 0.15 | Verify policy combination logic: enforced and report-only policies do not interfere with each other | TBD |
| 0.16 | Verify policy combination logic: multiple policies with different enforcement and different report-uris | TBD |
| 0.17 | Verify that a cross-origin report fetch uses an anonymous request and does not accept cookies | TBD |
| 0.18 | Test "dangerous" report-uris: what happens if we use javascript: for reporting? It should only be able to invoke the fetch algorithm, not be handled outside the browser. What about ftp:, tel:? Maybe it should have to match the scheme the page was loaded over? (What about loading something with file:///?) | TBD |
| 0.19 | Verify that URL restriction rules correctly handle cross-domain redirects. | TBD |
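As an added example (not part of this page or the W3C test suite), a small JavaScript source-expression matcher that encodes the matching rules assertions 0.2 to 0.11 exercise: exact 'self' comparison, the implicit-scheme upgrade from http to https, leading-label host wildcards, and default or wildcard ports. The default ports for http and https, and the choice to reject any wildcard placement other than a leading "*." label, are assumptions of this example.

```javascript
// Added example, not the W3C suite's code: a minimal CSP 1.0 source-expression matcher
// for assertions 0.2 to 0.11. Default ports for http/https are assumed (see below).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a source expression into scheme/host/port, or return null if it is malformed
// (0.8: "www*.foo.com" and "*www.foo.com"; 0.11: a non-digit port such as "0x50").
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return null;
  const host = m[2].toLowerCase();
  // A wildcard is only legal as the whole leading label: "*.foo.com".
  if (host.includes("*") && !/^\*\.[^*]+$/.test(host)) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host, port: m[3] || null };
}

// "*.foo.com" matches any sub-host of foo.com but not foo.com itself (0.8).
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does `url` match the single source expression `expr` for a document at `origin`?
function sourceMatches(expr, url, origin) {
  const u = new URL(url), o = new URL(origin);
  const uPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  if (expr === "*") return true;                 // bare wildcard matches any URL
  if (expr === "'self'") {                       // 0.2.x: exact scheme, host and port
    const oPort = o.port || DEFAULT_PORTS[o.protocol] || "";
    return u.protocol === o.protocol && u.hostname === o.hostname && uPort === oPort;
  }
  const src = parseSource(expr);
  if (!src) return false;                        // a malformed source never matches
  if (src.scheme) {
    if (u.protocol !== src.scheme) return false;
  } else if (u.protocol !== o.protocol && !(o.protocol === "http:" && u.protocol === "https:")) {
    return false;                                // 0.4 / 0.6: only http -> https may upgrade
  }
  if (!hostMatches(src.host, u.hostname)) return false;
  const wantPort = src.port || DEFAULT_PORTS[src.scheme || u.protocol] || "";
  return wantPort === "*" || wantPort === uPort; // 0.9 / 0.10: wildcard or default port
}

// A source list is whitespace-separated; the URL is allowed if any expression matches.
function matchesAny(sourceList, url, origin) {
  return sourceList.trim().split(/\s+/).some((e) => sourceMatches(e, url, origin));
}
```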

Test Assertions for script-src directive

| Assertion | Test | Status |
| --- | --- | --- |
| 1.1 | Inline script does not execute with script-src and only 'self' on the src list. | bhill2, /submitted/WG/CSP_1_1.php |
| 1.2 | Inline script does not execute with script-src and a * src list. | bhill2, /submitted/WG/CSP_1_2.php |
| 1.2.1 | Inline script created with .innerHtml, .outerHtml, document.write(), document.writeln(), createElement() does not execute without 'unsafe-inline' | bhill2, /submitted/WG/CSP_1_2_1.php |
| 1.2.3 | Inline event handler onLoad() does not execute without 'unsafe-inline' in the src list | bhill2, /submitted/WG/CSP_1_2.php, /submitted/WG/CSP_1_1.php |
| 1.2.4 | Inline XSLT style sheets do not execute with script-src and a * src list. | TBD |
| 1.3 | Inline script does execute with script-src and 'unsafe-inline' in the src list. | TBD |
| 1.4 | Inline script using operator eval or function eval does not execute with script-src and 'unsafe-inline' in the src list, but without 'unsafe-eval'. | TBD |
| 1.4.1 | Eval equivalents in inline script do not execute without 'unsafe-eval': setTimeout and setInterval with a non-callable first argument, Function as a constructor, crypto.generateCRMFRequest in Gecko, others? | TBD |
| 1.5 | Sourced script using operator eval or function eval does not execute with script-src and 'unsafe-inline' in the src list, but without 'unsafe-eval'. | TBD |
| 1.5.1 | Eval equivalents in sourced script do not execute without 'unsafe-eval': setTimeout and setInterval with a non-callable first argument, Function as a constructor, crypto.generateCRMFRequest in Gecko, others? {}.toString.constructor('alert(1)') <-- implicitly invokes the Function constructor | TBD |
| 1.6 | External scripts not in the script-src src list do not execute. | TBD |
| 1.6.1 | External XSLT stylesheets not in the script-src src list do not execute. | TBD |
| 1.7 | javascript: URIs do not execute without 'unsafe-inline' in the script-src src list. | TBD |
| 1.8 | Bookmarklets correctly execute without 'unsafe-inline' in the script-src src list. | TBD |
| 1.9 | Worker and SharedWorker cannot be constructed with scripts not in the script-src list. | TBD |
| 1.10 | Script sourced from a data: URI does not execute unless that scheme is in the script-src src list | TBD |

Test Assertions for object-src directive

| Assertion | Test | Status |
| --- | --- | --- |
| 2.1 | data attribute of object element | TBD |
| 2.2 | src attribute of embed element | TBD |
| 2.3 | code or archive attribute of applet element | TBD |
| 2.4 | navigating embedded objects directly in a nested browsing context (http://www.w3.org/TR/html5/browsers.html#nested-browsing-contexts) | TBD |
| 2.5 | plugin itself must not load if the associated URI is forbidden | TBD |

Test Assertions for style-src directive

| Assertion | Test | Status |
| --- | --- | --- |
| 3.1 | ignores inline style elements without 'unsafe-inline' | TBD |
| 3.2 | ignores inline style attributes without 'unsafe-inline' | TBD |
| 3.3 | href of link with rel=stylesheet must be in src list | TBD |
| 3.4 | @import directive in stylesheet must be in src list | TBD |
| 3.5 | style-src does not impact XSLT stylesheet loading | TBD |

Test Assertions for img-src directive

| Assertion | Test | Status |
| --- | --- | --- |
| 4.1 | img element src attribute must match src list | TBD |
| 4.1.1 | video element poster attribute must match the src list | TBD |
| 4.2 | url() and image() values from CSS properties must match src list | TBD |
| 4.3 | href of link with rel=icon must match src list | TBD |
| 4.4 | picture element src and srcset must be in src list | TBD |
| 4.5 | src attribute of an input element of type image must match src list | TBD |
| 4.6 | ??? Should we also test <image> in RSS? This is an XML grammar and there are many such, but this is one commonly rendered directly by browsers. | TBD |

Test Assertions for media-src directive

| Assertion | Test | Status |
| --- | --- | --- |
| 5.1 | video element src attribute must match src list | TBD |
| 5.2 | audio element src attribute must match the src list | TBD |
| 5.3 | source element src attribute must match the src list | TBD |
| 5.4 | track element src attribute must match src list | TBD |

Test Assertions for frame-src directive

| Assertion | Test | Status |
| --- | --- | --- |
| 5.1 | iframe element src attribute must match src list | TBD |
| 5.2 | frame element src attribute must match the src list | TBD |
| 5.3 | iframe element navigation destination initiated by user click must be on the src list | TBD |
| 5.4 | iframe element navigation destination initiated by meta-refresh must be on src list | TBD |
| 5.5 | iframe element navigation by 302 headers and similar must be on src list | TBD |

Test Assertions for policy-uri directive

| Assertion | Test | Status |
| --- | --- | --- |
| 6.1 | Ensure that the report-uri follows the CORS spec for cross-domain requests that try to return Set-Cookie | TBD |

TODO: SVG tests?

TODO: MathML tests and script?